fix: conflict in permissions for decisions for active members

Active members were able to see the 'Meetings' tab due to the `decision_admin` being too broad. We could have gone for a `viewOrgan` privilege on the `decision_admin` object, however, it feels better to make it a separate `decision_organ_admin`.
tomudding · Oct 17, 2024 · f35548e · f35548e
1 parent 8bca4d4
commit f35548e
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/module/Application/view/partial/admin.phtml b/module/Application/view/partial/admin.phtml
@@ -163,7 +163,7 @@ use Laminas\View\Renderer\PhpRenderer;
                             </ul>
                         </li>
                     <?php endif; ?>
-                    <?php if ($this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')): ?>
+                    <?php if ($this->acl('decision_service_acl')->isAllowed('decision_organ_admin', 'view')): ?>
                         <li>
                             <a href="<?= $this->url('admin_organ') ?>">
                                 <?= $this->translate('Organs') ?>

diff --git a/module/Application/view/partial/main-nav.phtml b/module/Application/view/partial/main-nav.phtml
@@ -197,6 +197,7 @@ endif; ?>
                                 $this->acl('activity_service_acl')->isAllowed('activity_admin', 'view')
                                 || $this->acl('company_service_acl')->isAllowed('company_admin', 'view')
                                 || $this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')
+                                || $this->acl('decision_service_acl')->isAllowed('decision_organ_admin', 'view')
                                 || $this->acl('education_service_acl')->isAllowed('education_admin', 'view')
                                 || $this->acl('frontpage_service_acl')->isAllowed('frontpage_admin', 'view')
                                 || $this->acl('photo_service_acl')->isAllowed('photo_admin', 'view')

diff --git a/module/Decision/src/Service/AclService.php b/module/Decision/src/Service/AclService.php
@@ -23,14 +23,15 @@ protected function createAcl(): void
         $this->acl->addResource(new Resource('gdpr'));
         // Define administration part of this module, however, sub-permissions must be manually configured.
         $this->acl->addResource(new Resource('decision_admin'));
+        $this->acl->addResource(new Resource('decision_organ_admin'));
 
         // users are allowed to view the organs
         $this->acl->allow('guest', 'organ', 'list');
         $this->acl->allow('user', 'organ', 'view');
 
         // Organ members are allowed to edit organ information of their own organs
         $this->acl->allow('active_member', 'organ', 'edit');
-        $this->acl->allow('active_member', 'decision_admin', 'view');
+        $this->acl->allow('active_member', 'decision_organ_admin', 'view');
 
         // users are allowed to view and search members
         $this->acl->allow('user', 'member', ['view', 'view_self', 'search', 'birthdays']);